Arch Linux Security Advisory ASA-201509-7
=========================================

Severity: Medium
Date    : 2015-09-21
CVE-ID  : CVE-2015-5714 CVE-2015-5715
Package : wordpress
Type    : multiple issues
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package wordpress before version 4.3.1-1 is vulnerable to multiple
issues including cross-site scripting and permission bypass.

Resolution
==========

Upgrade to 4.3.1-1.

# pacman -Syu "wordpress>=4.3.1-1"

The problem has been fixed upstream in version 4.3.1.

Workaround
==========

None.

Description
===========

- CVE-2015-5714 (cross-site scripting)

A cross-site scripting vulnerability has been discovered when processing
shortcode tags.

- CVE-2015-5715 (permission bypass)

It has been discovered that users without proper permissions could
publish private posts and make them sticky.

Impact
======

A remote attacker is able to perform a cross-site scripting attack via
shortcode tags or create sticky notes without proper permissions.

References
==========

https://wordpress.org/news/2015/09/wordpress-4-3-1/
https://access.redhat.com/security/cve/CVE-2015-5714
https://access.redhat.com/security/cve/CVE-2015-5715
https://bugs.archlinux.org/task/46340